The RobustRailS Verification Tool Set for Safety Verification of Interlocking Systems
Linh H. Vu, Technical University of Denmark; Anne E. Haxthausen, Technical University of Denmark; Jan Peleska, University of Bremen
RobustRailS Verification Method & Tools
Line speed can also be raised on some lines once a new signalling system is installed, since train control and cab signalling are a safety prerequisite for line speeds above 120 km/h, cf. chapter 6.
The new train control system can handle speeds of more than 200 km/h. It will thus be the track geometry that limits speed upgrades. A number of lines where speed is currently limited by the signalling system will be usable, without further measures, at the speed the track allows.
The train control system in ERTMS performs the same functions as the current Danish ATC system. The train driver will thus still be in charge of driving the train. The train control system will remain a safety function that brakes the train if the driver does not react correctly to the signals.
4.3.3 Technical state of development of ERTMS level 1 and 2
Establishing the ERTMS standard for level 1 and 2 is a matter of reaching agreement on which of several already existing solutions is to be the common standard. It must then be ensured that the solutions chosen for the different functions can work together. Establishing the ERTMS standard is thus not about developing new solutions, but about agreeing on which solutions to use and getting the products to work together. This issue is independent of the choice between ERTMS level 1 and level 2.
Figure 4.2 ERTMS level 2: Interoperable railway without lineside signals. (Figure labels: ETCS, axle counters, fixed marker, interlocking, remote control centre, radio block centre, Eurobalise (km post), train detection, point machine, traffic controller, GSM-R data.)
• Method and tool set for automated, formal safety verification of interlocking systems.
• Developed by Linh H. Vu, Anne Haxthausen, Jan Peleska, in collaboration with the Danish railways in the RobustRailS research project.
• RobustRailS research project, 2012-2017:
  • Funded by the Danish Innovation Fund.
  • Partners: 4 DTU departments, Bremen University, Banedanmark, Traffic Authorities, DSB, DSB S-train.
  • Goal: to develop methods for achieving punctual and safe railway operations for the Danish Re-signaling Program implementing ERTMS/ETCS Level 2.
    • methods for efficient safety verification
    • ...
2 RobustRailS Verification Tool Set 17.06.2019
Background: Challenges
• Errors in interlocking systems may have very severe consequences.
• Conventional specification & verification methods may be time consuming and may not give sufficient guarantees of correctness.
• Bugs are typically first found during testing → expensive to fix.
• → Need to get it right from the beginning.
Smarter Specification and Verification Methods
[Figure: state space diagram showing safe states, unsafe states, and the reachable states within the state space.]
Use Formal Methods and Automation:
• strongly recommended by CENELEC 50128 for safety-critical software
• efficient
• to avoid bugs
• to catch bugs early, before implementation and test
→ saves time and money
RobustRailS Verification Method & Tools
[Figure: example track layout with track sections t10-t14 and t20, marker boards mb10-mb15, mb20 and mb21, and directions UP/DOWN (b10, b14), together with the workflow: (0) develop or generate the route control table; (step 1) static checker; (step 2.1) generator produces the model and the safety requirements; (step 2.2) model checker investigates: does the model meet the requirements? Each check yields pass or fail; possible human manipulation at each stage.]

Route control table excerpt (rows for the other routes are omitted on the slide):

route  from  to    path         points       markerboards    conflicts
1a     mb10  mb13  t10;t11;t12  t11:+;t13:-  mb11;mb12;mb20  1b;2a;2b;3;4;5a;5b;6b;7
...
7      mb20  mb11  t11;t10      t11:-        mb10;mb12       1a;1b;2a;2b;3;5b;6a
8      mb21  mb14  t13;t14      t13:-        mb13;mb15       1b;2a;4;5a;5b;6a;6b
1.1 Input: track plan.
1.2 The tool automatically generates a route control table, if not provided.
1.3 The tool checks that the track plan and route control table are correct.
2.1 The tool generates
  • a formal model of the behaviour of the interlocking system
  • formal safety requirements (e.g. no train collisions).
2.2 A model checker (dis-)proves that the model meets the requirements.
3.1 The tool generates test cases and a test oracle for software integration testing.
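As an added example (not code from the RobustRailS tool set), the following Python script runs static consistency checks of the kind step 1.3 needs over the route control table excerpt above: the conflicts column must be symmetric, and routes that share a track section or demand different positions of the same point must be marked as conflicting. Which checks a real static checker applies is my assumption; the three rows are transcribed from the slide and route 9 is a constructed, deliberately faulty row.

```python
# Static consistency checks on a route control table (constructed example;
# one plausible reading of step 1.3, not the RobustRailS tool's own checks).
from itertools import combinations

# The three routes visible on the slide; columns:
# route from to path points markerboards conflicts
ROWS = """\
1a mb10 mb13 t10;t11;t12 t11:+;t13:- mb11;mb12;mb20 1b;2a;2b;3;4;5a;5b;6b;7
7  mb20 mb11 t11;t10     t11:-       mb10;mb12      1a;1b;2a;2b;3;5b;6a
8  mb21 mb14 t13;t14     t13:-       mb13;mb15      1b;2a;4;5a;5b;6a;6b
"""
# Constructed faulty route: overlaps 1a on t12, needs t13 in '+' while route 8
# needs '-', and lists 1a as a conflict although 1a does not list it back.
BAD_ROW = "9  mb15 mb12 t14;t13;t12 t13:+       mb14;mb11      1a\n"


def parse_table(text):
    """Parse whitespace-separated rows into a dict keyed by route id."""
    routes = {}
    for line in text.splitlines():
        rid, src, dst, path, points, boards, conflicts = line.split()
        routes[rid] = {
            "from": src, "to": dst,
            "path": path.split(";"),
            "points": dict(p.split(":") for p in points.split(";")),
            "markerboards": boards.split(";"),
            "conflicts": set(conflicts.split(";")),
        }
    return routes


def check_table(routes):
    """Return (kind, route_a, route_b) findings; [] means consistent.
    Only pairs of routes present in the table are examined, so conflict ids
    referring to routes outside the excerpt stay unchecked.
    """
    findings = []
    for a, b in combinations(sorted(routes), 2):
        ra, rb = routes[a], routes[b]
        # The conflict relation must be symmetric.
        if (b in ra["conflicts"]) != (a in rb["conflicts"]):
            findings.append(("asymmetric", a, b))
        # Routes that share a track section, or demand different positions of
        # the same point, can never be set together, so they must conflict.
        shared = set(ra["path"]) & set(rb["path"])
        clash = {p for p, pos in ra["points"].items()
                 if p in rb["points"] and rb["points"][p] != pos}
        if (shared or clash) and b not in ra["conflicts"]:
            findings.append(("missing", a, b))
    return findings
```

Running `check_table(parse_table(ROWS))` on the slide's rows yields no findings, while appending `BAD_ROW` produces one asymmetry and two missing conflicts.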
RobustRailS Verification Method & Tools
• Verification in three steps:
  • The static checking step is used to find errors in the control table.
  • The model checking step is used to find errors in the control algorithms.
  • The model-based testing step is used to find errors in the implemented system.
• Features:
  • "Model hiding": models are automatically generated from domain-specific railway specifications → the tools can be used by railway engineers without a background in formal methods.
  • Verification based on inductive reasoning using bounded model checking pushes back the limits imposed by state space explosion.
Applications of the Method & Tools
• The Early Deployment Line, Roskilde - Næstved, in Denmark [Vu, Haxthausen, Peleska 2017]:
  [Map of the EDL: Roskilde Station, Gadstrup St., Havdrup St., Lille Skensved St., Køge St., Herfølge St., Tureby St., Haslev St., Holme-Olstrup St., Næstved St.]
• Florence station in Italy [Fantechi, Haxthausen, Macedo 2017]:
Compositional Verification
• Suggested by Fantechi, Haxthausen, Macedo 2017-... .
• Goal: to further increase the scalability of the verification method.
• Idea: cut the interlocking logic of large layouts into separate, more manageable portions, so that proving safety of the portions implies safety of the whole.
[Figure: track layout of two stations, A station and B station (track sections t5-t13 and t25-t28, elements E1-E26 and T1-T19), illustrating the cut into separately verified portions.]
• Experiments show: compositional verification is 2.5-3× faster and uses 30-40% less memory.
Early Deployment Line (EDL) in Denmark and Florence Station in Italy
Thank you for your attention.